I have the following case happening. I have an application that is configured to send data via a webhook like push method via HTTP rest api whenever data is inserted in the application database. Im using this functionality to make a backup like external archive of this data using ELK.
So in logstash, my input is accepting the HTTP inputs and I am getting docs in Kibana. Here is my input config:
http {
host => "host ip"
port => "listening port"
add_field => { "identifying_field" => "app_backup"}
}
Which works fine, my problem is during the filter.
filter {
xml {
source => "message"
target => "Omni"
force_array => false
store_xml => true
}
The XML message is being applied with the target, so I am getting it prepended to the elements in the message. But the problem I am seeing is that sometimes the message results in 1 instance attribute, or an array of instance attributes, from the application. This makes renaming the fields or parsing it unstable. Here is an example of the field in kibana if message just returns one instance:
Omni.instance.attribute -
{
"id": "sample data"
}
and here is an array that is returned in the message:
Omni.instance -
{
"attribute": [
{
"id": "sample data"
},
{
"id2": "sample data2"
}
]
}
So my question is that is there a way in logstash config to loop through events in the target message, whether it returns object, or an array of objects? Because the field structure here is unstable im having trouble parsing it. Im trying do something like
add_field => {
data_field_name => "%{[Omni][instance][attribute][id]}"
}
but it doesnt work with the arrays, due to the target structure.
Maybe I can write an if conditional to check if target is on dict, or list of dicts?
Thanks